Platform Admin

Platform admins manage domains, users, organizations, and memberships across the entire DriftWise instance. Admin endpoints are under /api/v2/admin/ and require the is_platform_admin flag on the user record.

Authentication

All /api/v2/admin/* endpoints (except /admin/me) require an OIDC JWT via Authorization: Bearer <token>. API keys (dw2_ prefix) return 403 platform admin required — the RequirePlatformAdmin middleware rejects any caller whose auth_method is not oidc. In practice, admin operations are performed through the web UI; the curl examples below assume you have extracted a session JWT for scripting.

info

The first user who logs in with an allowed email domain is automatically promoted to platform admin.

Domain Allowlist

The domain allowlist controls which email domains can access DriftWise. Users with disallowed domains are rejected at login with 403.

List domains

curl "https://app.driftwise.ai/api/v2/admin/domains" \
-H "Authorization: Bearer $OIDC_TOKEN"

Add a domain

curl -X POST "https://app.driftwise.ai/api/v2/admin/domains" \
-H "Authorization: Bearer $OIDC_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "domain": "acme.com" }'

The domain must contain a dot and must not carry an @ prefix or an http:// scheme. It is lowercased automatically before it is stored.

Remove a domain

curl -X DELETE "https://app.driftwise.ai/api/v2/admin/domains/<domain_id>" \
-H "Authorization: Bearer $OIDC_TOKEN"

warning

Removing a domain immediately blocks login for users with that email domain. Existing sessions may continue for up to 30 seconds (cache TTL).

User Management

List users

curl "https://app.driftwise.ai/api/v2/admin/users?limit=100&offset=0" \
-H "Authorization: Bearer $OIDC_TOKEN"

Returns: id, email, display_name, is_platform_admin, created_at.

Delete a user

curl -X DELETE "https://app.driftwise.ai/api/v2/admin/users/<user_id>" \
-H "Authorization: Bearer $OIDC_TOKEN"

Soft-deletes the user (sets deleted_at and clears the admin flag). Org memberships remain in place, but authentication is denied. You cannot delete yourself.

Organization Management

List organizations

curl "https://app.driftwise.ai/api/v2/admin/orgs" \
-H "Authorization: Bearer $OIDC_TOKEN"

Create an organization

curl -X POST "https://app.driftwise.ai/api/v2/admin/orgs" \
-H "Authorization: Bearer $OIDC_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "slug": "acme-corp",
  "display_name": "Acme Corporation"
}'

New orgs start on the Free plan.

Membership Management

View a user's memberships

curl "https://app.driftwise.ai/api/v2/admin/users/<user_id>/memberships" \
-H "Authorization: Bearer $OIDC_TOKEN"

Add a user to an org

curl -X POST "https://app.driftwise.ai/api/v2/admin/memberships" \
-H "Authorization: Bearer $OIDC_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "user_id": "<user-uuid>",
  "org_id": "<org-uuid>",
  "role": "member"
}'

Valid roles: owner, admin, member, viewer.

Membership creation checks the org's seat limit. If the limit has already been reached, the request returns 402 with a body like:

{
  "error": "seat limit reached",
  "limit": 10,
  "used": 10,
  "plan": "team"
}

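A small shell wrapper that applies the documented domain rules client-side and maps the 402 seat-limit and 403 admin-required responses to their documented meaning. This is an added example, not DriftWise's own tooling; it assumes OIDC_TOKEN holds a session JWT and uses DW_BASE (a name chosen here) for the instance URL.

```shell
# Added example, not DriftWise code. Assumes OIDC_TOKEN holds a session JWT
# and DW_BASE (a name chosen here) the instance base URL. No jq needed.
set -eu
DW_BASE="${DW_BASE:-https://app.driftwise.ai}"

# Apply the documented domain rules before the request leaves the host:
# lowercase, reject an @ or a URL scheme, require a dot. Returns 1 if invalid.
normalize_domain() {
  d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$d" in
    ''|*@*|http://*|https://*) return 1 ;;
    *.*) printf '%s\n' "$d" ;;
    *) return 1 ;;
  esac
}

# Translate the status codes this page documents; returns 0 only for 2xx
# so callers can branch on it with set -e in effect.
explain_status() {   # status body
  case "$1" in
    2*) echo "ok ($1)"; return 0 ;;
    402) echo "seat limit reached on the org's plan (402): $2" ;;
    403) echo "platform admin required (403): use an OIDC JWT for a user with is_platform_admin, not a dw2_ API key" ;;
    *)   echo "unexpected status $1: $2" ;;
  esac
  return 1
}

# POST a JSON body to /api/v2/admin/<path>; curl -w appends the status code
# on its own line after the response body, and report() splits them apart.
admin_post() {   # path json
  curl -sS -X POST "$DW_BASE/api/v2/admin/$1" \
    -H "Authorization: Bearer $OIDC_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$2" -w '\n%{http_code}'
}
report() {   # combined curl output
  explain_status "$(printf '%s\n' "$1" | tail -n 1)" "$(printf '%s\n' "$1" | sed '$d')"
}

add_domain() {   # domain
  dom=$(normalize_domain "$1") || { echo "invalid domain: $1" >&2; return 2; }
  report "$(admin_post domains "{\"domain\":\"$dom\"}")"
}
add_membership() {   # user_id org_id role
  report "$(admin_post memberships "{\"user_id\":\"$1\",\"org_id\":\"$2\",\"role\":\"$3\"}")"
}
```

Call `add_domain ACME.com` or `add_membership <user-uuid> <org-uuid> member` from a script; a non-zero return means the request did not succeed and the printed line says why.
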
Remove a membership

curl -X DELETE "https://app.driftwise.ai/api/v2/admin/memberships/<membership_id>" \
-H "Authorization: Bearer $OIDC_TOKEN"

Membership revocation propagates across pods within 30 seconds (cache TTL).

Audit Log

View all platform and org-scoped audit events:

curl "https://app.driftwise.ai/api/v2/admin/audit-log?limit=50&offset=0" \
-H "Authorization: Bearer $OIDC_TOKEN"

See Audit Logs for details on what actions are logged.

Federation Info

The federation-info endpoint returns the platform's GCP Workload Identity Federation configuration for external CI systems that want to obtain short-lived credentials instead of storing long-lived API keys.

curl "https://app.driftwise.ai/api/v2/federation-info" \
-H "Authorization: Bearer $OIDC_TOKEN"

warning

This endpoint rejects API key authentication. You must present an OIDC JWT from a platform administrator — API keys return 403.

Returns issuer_url, subject, audience, and service_account_email from the server's federation configuration:

{
  "issuer_url": "https://token.actions.githubusercontent.com",
  "subject": "repo:myorg/myrepo:ref:refs/heads/main",
  "audience": "https://driftwise-federation.example.com",
  "service_account_email": "[email protected]"
}

Returns 503 Service Unavailable when the server was booted without a federation configuration, since there is nothing to hand out.

Authentication

All admin endpoints (except /admin/me) require is_platform_admin. Admin status is checked via the auth middleware — there's no separate admin login flow.

The /admin/me endpoint is available to any authenticated user. For the first user on the platform, it triggers auto-promotion to admin.